1 2/20/03 Link Security Scenarios Ali Abaye Charles Cook Norm Finn Russ Housley Marcus Leech Mahalingam Mani Bob Moskowitz Dave Nelson Antti Pietilainen Allyn Romanow Dan Romascanu Dolors Sala Mick Seaman Dennis Volpano Glen Zorn

2 2/20/03 Business Scenarios

3 2/20/03 Business Applications Scenario B1: EPON Security – FTTH/FTTB (provider network) Scenario B2: IEEE 802 Link Security – 802.3ah copper (DSL) network (copper is easy to tap) – Any 802 Enterprise network (networking devices in secure locations) Scenario B3: Secure Bridged Networks – Layer 2 provider networks (networking devices are not in secure locations)

4 2/20/03 Trust Scenarios

5 2/20/03 Scenario T0: Secure Link Definition: – A single link is secured – Security mechanism addresses MAC vulnerabilities Requirements/Assumptions: – Communication is secure on the wire only – Network device must be in trusted buildings for a complete secure architecture – MACs required to support: all topologies Business Applications: – EPON scenario where ONU is inside home or business and OLT in CO building

6 2/20/03 Scenario T1: Single-hop Secure Bridged Network Definition: – Securing a bridged network by securing each link independently – Security scope is the MAC and packet is forwarded in clear to bridge level – This case is a cascade of several T0 Scenarios (each one can potentially operate with a different MAC) Requirements/Assumptions: – Still, communication is secure on the wire but not in the network devices – Network device must be in trusted buildings for a complete secure architecture – It does not effect the bridge functionality but it does require an extended (secure) MAC in every port of the bridge (infrastructure upgrade) – Links already secured by other means can continue using the existing security mechanism (examples: , , links) Business Applications: – Same as Scenario T0 – Enterprise Layer 2 networks (networking devices are in trusted buildings)

7 2/20/03 Scenario T2: Multi-hop Secure Bridged Network Definition – Securing a bridged network by transparently bridging encrypted packets – Security is only applied at the entrance of the packet (either by the end station or closebridge) or trusted points – Can use existing bridged networks to transport the secured packets Requirements/Assumptions – No security assumptions on network infrastructure – Requires a transparent secure data encryption (SDE) protocol – Needs some awareness of security in the network: Every device (case T2.1): any bridge can take the function. Simpler at bridge level but more upgrades Few devices (case T2.2): Requires a discovery protocol to replace a security-aware bridged for another security-aware bridged during topology changes – Should operate with any IEEE802 MAC Business Applications – Provider Access/MAN environments

8 2/20/03 Scenario T3: End-to-end Secure Layer 2 Communication Definition: – Security is done station to station – Network is not aware of security Requirements/Assumptions – Stations (or end system) must support security mechanism – SDE protocol must be transparent – This is a simple case of multi-hop secure bridged network

9 2/20/03 Functional Scenarios Classification of scenarios based on functionality needed: F1: Link Protection (High Priority for networks) – Addresses scenarios T0 and T1 F2: Adjacent bridge-to-bridge (High Priority) – Addresses trust scenario T2 with infrastructure T2.1 F3: Non-adjacent bridge-to-bridge (Medium/Low Priority) – Addresses trust scenario T2 with infrastructure T2.2

10 2/20/03 Business Level Requirements Theft of service To separate customers from each other Ability to keep billing records Consistency between media (smooth transition)

11 2/20/03 Objectives Select and/or specify: A transparent secure data encryption (SDE) mechanism (high priority) A link protection mechanism for networks if added functionality is needed in 1. (high priority) A discovery protocol (low priority)